I paused a TV show last week as one of those lower-third ads promoting the local newscast was displayed. It screamed, "Encryption preventing police from catching criminals, more at 11." There’s nothing subtle about that, I pointed out to my wife, nothing at all. Clearly, this "encryption" stuff is very dangerous and should be made illegal, right?
Then the world was scarred by the attacks in Paris a few days later. Before any real news about the attacks made it to the mainstream media, we were already hearing how encryption was the reason these attacks succeeded. The New York Times posted a story to that effect, then pulled it and redirected the link to a completely different article about France’s retaliation. The Wayback Machine still has the original, which states, “The attackers are believed to have communicated using encryption technology.” This is the functional equivalent of stating, “The attackers are believed to have communicated using words or sounds.”
As it happens, we've since found out that the attackers communicated through normal, plaintext communications channels. (Note that Schneier's title is somewhat of a joke -- double ROT-13 encryption is no encryption at all.)
Yet we continue to hear from politicians and the mainstream media about how we need to add backdoors to encryption protocols, or do away with encryption altogether. According to Wired, the use of encryption will be a key issue in the 2016 U.S. presidential race. Given the general buffoonery that already surrounds the contest, I suppose that adding one more completely irrelevant and nonsensical talking point shouldn’t be surprising.
The fact is all this talk of the encryption boogeyman is not based on facts. This rhetoric could only succeed with people who do not understand the technology -- but that might be enough to compromise the security of every person on earth and make criminals extremely happy.
Adding backdoors to new encryption methods would render them useless. Mandating their use in common communications protocols would necessarily compromise those protocols and those communications -- not for the governments that wish to have this access, but to the criminal elements that would use those backdoors as soon as they were available. Those who are smart enough to use encryption to hide their criminal communications will continue to do so without any problems or interference. Strong encryption already exists -- we can't erase it.
This isn’t a game, and it isn’t up for debate. It’s reality.
As we’ve seen with Paris, plaintext communications on public communication networks were not detected by authorities, and there’s absolutely no reason to think that allowing these authorities unfettered access to all encrypted communications throughout the world would lead to a different outcome. Precisely the opposite: It would put the whole world in jeopardy.
But these simple facts alone won’t stop the antiencryption rhetoric. Intelligence agencies in many countries are using the events in Paris to push for expanded powers and to demonize the very concept of encryption -- a ploy that is absurd to anyone in the computing field. All we can do to combat this wave of misinformation is to talk with the nontechies around us and try to explain what’s actually going on here. To listen to the mainstream media, you'd think the future of the world is being held hostage by 3DES.
The old saw about “if you have nothing to hide, why are you worried” was always a terrible response. Ask them for their Social Security number, health records, and banking information. Do they lock their doors? After all, they have nothing to hide, right? Then remind them that strong encryption is the only way their sensitive information stays safe.
As an IT veteran, this attack on encryption is utterly baffling, unless it is purely for political purposes. There’s no technical merit to any part of this argument. There’s only woeful or willful ignorance. The best way to fight that is with facts. It’s a battle that by all reason shouldn’t have to be fought, but it’s a battle we must win.